The U. T. Austin Information Security Office (ISO) offers a number of security assessment services to colleges, schools and units. Assessment services are available year-round. Each follows a standard engagement process flow and can be customized in many ways to meet the needs of a particular college, school, or unit. These services are provided to the university community at no additional cost. All ISO engagements are conducted under the authority granted by U. T. System and U. T. Austin policies and Texas state law.
Application Vulnerability Assessment
An Application Security Assessment evaluates the functionality and resilience of an application against known security threats including, but not limited to: buffer overflows, cross-site scripting, cross-site request forgery, improper data sanitization, injection attacks and weak authentication. This assessment analyzes all components of the application infrastructure, including how each component is deployed and how each component communicates with both the client and server environments. A collection of commercial and open-source tools is combined with manual testing to perform this assessment. Application credentials may be requested to conduct a more comprehensive (authenticated) review of a particular application. Typically, some host and network security practices are also reviewed as part of an Application Vulnerability Assessment.
College, School, or Unit (CSU) Security Assessment
A CSU Security Assessment is a comprehensive review of an entire infrastructure including host, network, application and environmental controls. This assessment also includes a review of existing policies, procedures, and key business processes.
System Security Assessment
A System Security Assessment analyzes the security of a specific system or group of systems. The ISO looks for both locally and remotely exploitable vulnerabilities by analyzing access controls, patch levels and system configurations. A collection of commercial and open-source scanning tools is used for this type of assessment. System credentials may be requested to conduct a more comprehensive review of a particular system. Additional hands-on inspection may also be necessary.
Network Vulnerability Assessment
A Network Vulnerability Assessment evaluates a system for vulnerabilities that may be exploited over a network. These vulnerabilities may include missing patches, unnecessary services, weak authentication and weak encryption. This type of assessment may include components of an Application Vulnerability Assessment and a System Security Assessment. Credentials may be requested to conduct a more comprehensive review of the system or systems in scope. A Network Vulnerability Assessment helps determine how exposed a system is to Internet and intranet attacks and whether current operational controls are effective.
Penetration Testing
A Penetration Test evaluates a system for network-based vulnerabilities such as missing patches, unnecessary services, weak authentication and weak encryption. This type of assessment may include components of an Application Vulnerability Assessment and a System Security Assessment. At the discretion of the customer, this type of assessment can be performed with no prior knowledge, meaning the ISO is provided only the target IP address or addresses before the assessment begins; this more closely simulates a real attack. A Penetration Test helps determine how exposed a system is to Internet and intranet attacks, whether an intruder could gain access to sensitive information and whether current operational controls are effective.
Physical Security Assessment
A Physical Security Assessment typically involves interviews with key staff, a review of existing documentation and a site visit to evaluate physical and environmental controls. This type of assessment helps determine whether systems are susceptible to physical attacks and whether environmental controls are adequate.
Compliance Assessments
A Compliance Assessment involves the ISO auditing systems for compliance with specific regulations and standards (or, where the ISO is not trained to conduct a particular audit, assisting in coordinating one):
- UT Austin Information Resources Use and Security Policy
- TAC-202 (Texas Administrative Code, Chapter 202)
- UT System UTS-165
- HIPAA
- FERPA
- The Gramm-Leach-Bliley Act (GLBA)
- PCI Data Security Standard (PCI DSS)